npm - gitlab-ai-provider - Versions diffs - 6.0.0 → 6.1.1 - Mend

gitlab-ai-provider 6.0.0 → 6.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +15 -0
package/dist/gitlab-ai-provider-6.1.1.tgz +0 -0
package/dist/index.d.mts +64 -1
package/dist/index.d.ts +64 -1
package/dist/index.js +127 -10
package/dist/index.js.map +1 -1
package/dist/index.mjs +127 -10
package/dist/index.mjs.map +1 -1
package/package.json +1 -1
package/dist/gitlab-ai-provider-6.0.0.tgz +0 -0

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,21 @@
 All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+## <small>6.1.1 (2026-03-29)</small>
+- fix: update dist ([9f4b816](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/9f4b816))
+## 6.1.0 (2026-03-29)
+- fix(approval): defer stream close while approval is pending and send rejection to DWS ([9344828](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/9344828))
+- feat(client): emit approval-required event for TOOL_CALL_APPROVAL_REQUIRED checkpoints ([500eff1](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/500eff1))
+- feat(model): add approveAndResume, sessionPreapprovedTools, processedRequestIDs dedup ([f543831](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/f543831))
+- feat(model): add public approvalHandler getter/setter for external wiring ([ee075b9](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/ee075b9))
+- feat(options): add agentPrivileges to GitLabWorkflowOptions for testing approval flow ([475f2c7](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/475f2c7))
+- feat(types): add ApprovalDecision, approval on StartRequest, approval-required event ([9a4ccf4](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/9a4ccf4))
+- chore: rebuild dist with approval integration changes ([d66deb9](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/d66deb9))
+- chore: rebuild dist with approval integration changes ([daacc33](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/daacc33))
 ## 6.0.0 (2026-03-26)
 - feat!: migrate to AI SDK v6 (LanguageModelV3) ([21c1165](https://gitlab.com/vglafirov/gitlab-ai-provider/commit/21c1165))

package/dist/gitlab-ai-provider-6.1.1.tgz ADDED Viewed

Binary file

package/dist/index.d.mts CHANGED Viewed

@@ -346,6 +346,17 @@ interface StartRequest {
     preapproved_tools?: string[];
     flowConfig?: unknown;
     flowConfigSchemaVersion?: string;
+    approval?: ApprovalDecision;
+}
+interface ApprovalDecision {
+    approval?: {
+        remember_approval?: boolean;
+        tool_name?: string;
+        tool_args_json?: string;
+    };
+    rejection?: {
+        message?: string;
+    };
 }
 interface ActionResponsePayload {
     requestID: string;
@@ -551,6 +562,25 @@ interface GitLabWorkflowOptions {
      * @returns The selected model ref, or null/undefined for default
      */
     onSelectModel?: (models: AiModel[]) => Promise<string | null | undefined>;
+    /**
+     * Agent privileges to request when creating the workflow.
+     * Defaults to DEFAULT_AGENT_PRIVILEGES (all privileges).
+     * Pass a subset to restrict which tools DWS pre-approves server-side,
+     * causing TOOL_CALL_APPROVAL_REQUIRED for excluded privileges.
+     */
+    agentPrivileges?: number[];
+    /**
+     * Called when DWS requires approval for a tool call.
+     * Return `{ approved: true }` to proceed or `{ approved: false, message? }` to reject.
+     * If not set, the stream ends silently when approval is required (backward compat).
+     */
+    approvalHandler?: (tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>;
 }
 interface GitLabWorkflowClientConfig {
     /** GitLab instance URL (e.g., 'https://gitlab.com') */
@@ -584,6 +614,12 @@ type WorkflowClientEvent = {
     requestID: string;
     toolName: string;
     data: Record<string, unknown>;
+} | {
+    type: 'approval-required';
+    tools: Array<{
+        name: string;
+        args: string;
+    }>;
 } | {
     type: 'completed';
 } | {
@@ -713,6 +749,31 @@ declare class GitLabWorkflowLanguageModel implements LanguageModelV3 {
         inputTokens: number;
         outputTokens: number;
     }) => void) | null;
+    /**
+     * Tool names pre-approved for the current session.
+     * Set by the host (e.g., opencode) and merged into preapproved_tools on each StartRequest.
+     * Updated when the user chooses "always" in the approval prompt.
+     */
+    sessionPreapprovedTools: string[];
+    /**
+     * Set the approval handler callback.
+     * Called when DWS requires tool call approval. Host (e.g., opencode) wires this
+     * to its permission system each stream call, similar to toolExecutor.
+     */
+    set approvalHandler(handler: ((tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>) | null);
+    get approvalHandler(): ((tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>) | null;
     /**
      * Optional callback invoked when multiple workflow models are available
      * and the user should pick one. Set per-stream by the host (e.g., OpenCode)
@@ -795,6 +856,7 @@ declare class GitLabWorkflowLanguageModel implements LanguageModelV3 {
     private processCheckpoint;
     private executeToolAndRespond;
     private cleanupClient;
+    private approveAndResume;
     private buildWorkflowMetadata;
     private getGitInfo;
     /**
@@ -1444,6 +1506,7 @@ declare class GitLabWorkflowClient {
     private buildWebSocketUrl;
     private buildWebSocketHeaders;
     private handleAction;
+    private extractApprovalTools;
     private send;
     private sendHeartbeatIfNeeded;
     private emit;
@@ -1620,4 +1683,4 @@ interface WorkflowDiscoveryResult {
 }
 declare function discoverWorkflowModels(config: WorkflowDiscoveryConfig, options: WorkflowDiscoveryOptions): Promise<WorkflowDiscoveryResult>;
-export { AGENT_PRIVILEGES, type ActionResponsePayload, type AdditionalContext, type AiChatAvailableModels, type AiModel, BUNDLED_CLIENT_ID, CLIENT_VERSION, type ClientEvent, DEFAULT_AGENT_PRIVILEGES, DEFAULT_AI_GATEWAY_URL, DEFAULT_CLIENT_CAPABILITIES, DEFAULT_WORKFLOW_DEFINITION, type DirectAccessToken, type DiscoveredModels, type DiscoveredWorkflowModel, GITLAB_COM_URL, type GenerateTokenResponse, type GitLabAgenticOptions, type GitLabAnthropicConfig, GitLabAnthropicLanguageModel, GitLabDirectAccessClient, type GitLabDirectAccessConfig, GitLabError, type GitLabErrorOptions, GitLabModelCache, GitLabModelConfigRegistry, GitLabModelDiscovery, GitLabOAuthManager, type GitLabOAuthTokenResponse, type GitLabOAuthTokens, type GitLabOpenAIConfig, GitLabOpenAILanguageModel, type GitLabProject, GitLabProjectCache, GitLabProjectDetector, type GitLabProjectDetectorConfig, type GitLabProvider, type GitLabProviderSettings, GitLabWorkflowClient, type GitLabWorkflowClientConfig, GitLabWorkflowLanguageModel, type GitLabWorkflowLanguageModelConfig, type GitLabWorkflowOptions, GitLabWorkflowTokenClient, MODEL_ID_TO_ANTHROPIC_MODEL, MODEL_MAPPINGS, type McpToolDefinition, type ModelCacheEntry, type ModelConfig, type ModelConfigRegistryOptions, type ModelDiscoveryConfig, type ModelMapping, type ModelProvider, type NewCheckpoint, OAUTH_SCOPES, OPENCODE_GITLAB_AUTH_CLIENT_ID, type OpenAIApiType, type OpenCodeAuth, type OpenCodeAuthApi, type OpenCodeAuthOAuth, type RunMcpTool, type StartRequest, TOKEN_EXPIRY_SKEW_MS, VERSION, WORKFLOW_ENVIRONMENT, WS_HEARTBEAT_INTERVAL_MS, WS_KEEPALIVE_PING_INTERVAL_MS, type WorkflowAction, type WorkflowClientEvent, type WorkflowDiscoveryConfig, type WorkflowDiscoveryOptions, type WorkflowDiscoveryResult, type WorkflowStatus, type WorkflowToolExecutor, WorkflowType, type WorkflowWebSocketOptions, createGitLab, discoverWorkflowModels, getAnthropicModelForModelId, getModelMapping, getOpenAIApiType, getOpenAIModelForModelId, getProviderForModelId, getValidModelsForProvider, getWorkflowModelRef, gitlab, isResponsesApiModel, isWorkflowModel, parseModelsYml };
+export { AGENT_PRIVILEGES, type ActionResponsePayload, type AdditionalContext, type AiChatAvailableModels, type AiModel, type ApprovalDecision, BUNDLED_CLIENT_ID, CLIENT_VERSION, type ClientEvent, DEFAULT_AGENT_PRIVILEGES, DEFAULT_AI_GATEWAY_URL, DEFAULT_CLIENT_CAPABILITIES, DEFAULT_WORKFLOW_DEFINITION, type DirectAccessToken, type DiscoveredModels, type DiscoveredWorkflowModel, GITLAB_COM_URL, type GenerateTokenResponse, type GitLabAgenticOptions, type GitLabAnthropicConfig, GitLabAnthropicLanguageModel, GitLabDirectAccessClient, type GitLabDirectAccessConfig, GitLabError, type GitLabErrorOptions, GitLabModelCache, GitLabModelConfigRegistry, GitLabModelDiscovery, GitLabOAuthManager, type GitLabOAuthTokenResponse, type GitLabOAuthTokens, type GitLabOpenAIConfig, GitLabOpenAILanguageModel, type GitLabProject, GitLabProjectCache, GitLabProjectDetector, type GitLabProjectDetectorConfig, type GitLabProvider, type GitLabProviderSettings, GitLabWorkflowClient, type GitLabWorkflowClientConfig, GitLabWorkflowLanguageModel, type GitLabWorkflowLanguageModelConfig, type GitLabWorkflowOptions, GitLabWorkflowTokenClient, MODEL_ID_TO_ANTHROPIC_MODEL, MODEL_MAPPINGS, type McpToolDefinition, type ModelCacheEntry, type ModelConfig, type ModelConfigRegistryOptions, type ModelDiscoveryConfig, type ModelMapping, type ModelProvider, type NewCheckpoint, OAUTH_SCOPES, OPENCODE_GITLAB_AUTH_CLIENT_ID, type OpenAIApiType, type OpenCodeAuth, type OpenCodeAuthApi, type OpenCodeAuthOAuth, type RunMcpTool, type StartRequest, TOKEN_EXPIRY_SKEW_MS, VERSION, WORKFLOW_ENVIRONMENT, WS_HEARTBEAT_INTERVAL_MS, WS_KEEPALIVE_PING_INTERVAL_MS, type WorkflowAction, type WorkflowClientEvent, type WorkflowDiscoveryConfig, type WorkflowDiscoveryOptions, type WorkflowDiscoveryResult, type WorkflowStatus, type WorkflowToolExecutor, WorkflowType, type WorkflowWebSocketOptions, createGitLab, discoverWorkflowModels, getAnthropicModelForModelId, getModelMapping, getOpenAIApiType, getOpenAIModelForModelId, getProviderForModelId, getValidModelsForProvider, getWorkflowModelRef, gitlab, isResponsesApiModel, isWorkflowModel, parseModelsYml };

package/dist/index.d.ts CHANGED Viewed

@@ -346,6 +346,17 @@ interface StartRequest {
     preapproved_tools?: string[];
     flowConfig?: unknown;
     flowConfigSchemaVersion?: string;
+    approval?: ApprovalDecision;
+}
+interface ApprovalDecision {
+    approval?: {
+        remember_approval?: boolean;
+        tool_name?: string;
+        tool_args_json?: string;
+    };
+    rejection?: {
+        message?: string;
+    };
 }
 interface ActionResponsePayload {
     requestID: string;
@@ -551,6 +562,25 @@ interface GitLabWorkflowOptions {
      * @returns The selected model ref, or null/undefined for default
      */
     onSelectModel?: (models: AiModel[]) => Promise<string | null | undefined>;
+    /**
+     * Agent privileges to request when creating the workflow.
+     * Defaults to DEFAULT_AGENT_PRIVILEGES (all privileges).
+     * Pass a subset to restrict which tools DWS pre-approves server-side,
+     * causing TOOL_CALL_APPROVAL_REQUIRED for excluded privileges.
+     */
+    agentPrivileges?: number[];
+    /**
+     * Called when DWS requires approval for a tool call.
+     * Return `{ approved: true }` to proceed or `{ approved: false, message? }` to reject.
+     * If not set, the stream ends silently when approval is required (backward compat).
+     */
+    approvalHandler?: (tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>;
 }
 interface GitLabWorkflowClientConfig {
     /** GitLab instance URL (e.g., 'https://gitlab.com') */
@@ -584,6 +614,12 @@ type WorkflowClientEvent = {
     requestID: string;
     toolName: string;
     data: Record<string, unknown>;
+} | {
+    type: 'approval-required';
+    tools: Array<{
+        name: string;
+        args: string;
+    }>;
 } | {
     type: 'completed';
 } | {
@@ -713,6 +749,31 @@ declare class GitLabWorkflowLanguageModel implements LanguageModelV3 {
         inputTokens: number;
         outputTokens: number;
     }) => void) | null;
+    /**
+     * Tool names pre-approved for the current session.
+     * Set by the host (e.g., opencode) and merged into preapproved_tools on each StartRequest.
+     * Updated when the user chooses "always" in the approval prompt.
+     */
+    sessionPreapprovedTools: string[];
+    /**
+     * Set the approval handler callback.
+     * Called when DWS requires tool call approval. Host (e.g., opencode) wires this
+     * to its permission system each stream call, similar to toolExecutor.
+     */
+    set approvalHandler(handler: ((tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>) | null);
+    get approvalHandler(): ((tools: Array<{
+        name: string;
+        args: string;
+    }>) => Promise<{
+        approved: boolean;
+        message?: string;
+    }>) | null;
     /**
      * Optional callback invoked when multiple workflow models are available
      * and the user should pick one. Set per-stream by the host (e.g., OpenCode)
@@ -795,6 +856,7 @@ declare class GitLabWorkflowLanguageModel implements LanguageModelV3 {
     private processCheckpoint;
     private executeToolAndRespond;
     private cleanupClient;
+    private approveAndResume;
     private buildWorkflowMetadata;
     private getGitInfo;
     /**
@@ -1444,6 +1506,7 @@ declare class GitLabWorkflowClient {
     private buildWebSocketUrl;
     private buildWebSocketHeaders;
     private handleAction;
+    private extractApprovalTools;
     private send;
     private sendHeartbeatIfNeeded;
     private emit;
@@ -1620,4 +1683,4 @@ interface WorkflowDiscoveryResult {
 }
 declare function discoverWorkflowModels(config: WorkflowDiscoveryConfig, options: WorkflowDiscoveryOptions): Promise<WorkflowDiscoveryResult>;
-export { AGENT_PRIVILEGES, type ActionResponsePayload, type AdditionalContext, type AiChatAvailableModels, type AiModel, BUNDLED_CLIENT_ID, CLIENT_VERSION, type ClientEvent, DEFAULT_AGENT_PRIVILEGES, DEFAULT_AI_GATEWAY_URL, DEFAULT_CLIENT_CAPABILITIES, DEFAULT_WORKFLOW_DEFINITION, type DirectAccessToken, type DiscoveredModels, type DiscoveredWorkflowModel, GITLAB_COM_URL, type GenerateTokenResponse, type GitLabAgenticOptions, type GitLabAnthropicConfig, GitLabAnthropicLanguageModel, GitLabDirectAccessClient, type GitLabDirectAccessConfig, GitLabError, type GitLabErrorOptions, GitLabModelCache, GitLabModelConfigRegistry, GitLabModelDiscovery, GitLabOAuthManager, type GitLabOAuthTokenResponse, type GitLabOAuthTokens, type GitLabOpenAIConfig, GitLabOpenAILanguageModel, type GitLabProject, GitLabProjectCache, GitLabProjectDetector, type GitLabProjectDetectorConfig, type GitLabProvider, type GitLabProviderSettings, GitLabWorkflowClient, type GitLabWorkflowClientConfig, GitLabWorkflowLanguageModel, type GitLabWorkflowLanguageModelConfig, type GitLabWorkflowOptions, GitLabWorkflowTokenClient, MODEL_ID_TO_ANTHROPIC_MODEL, MODEL_MAPPINGS, type McpToolDefinition, type ModelCacheEntry, type ModelConfig, type ModelConfigRegistryOptions, type ModelDiscoveryConfig, type ModelMapping, type ModelProvider, type NewCheckpoint, OAUTH_SCOPES, OPENCODE_GITLAB_AUTH_CLIENT_ID, type OpenAIApiType, type OpenCodeAuth, type OpenCodeAuthApi, type OpenCodeAuthOAuth, type RunMcpTool, type StartRequest, TOKEN_EXPIRY_SKEW_MS, VERSION, WORKFLOW_ENVIRONMENT, WS_HEARTBEAT_INTERVAL_MS, WS_KEEPALIVE_PING_INTERVAL_MS, type WorkflowAction, type WorkflowClientEvent, type WorkflowDiscoveryConfig, type WorkflowDiscoveryOptions, type WorkflowDiscoveryResult, type WorkflowStatus, type WorkflowToolExecutor, WorkflowType, type WorkflowWebSocketOptions, createGitLab, discoverWorkflowModels, getAnthropicModelForModelId, getModelMapping, getOpenAIApiType, getOpenAIModelForModelId, getProviderForModelId, getValidModelsForProvider, getWorkflowModelRef, gitlab, isResponsesApiModel, isWorkflowModel, parseModelsYml };
+export { AGENT_PRIVILEGES, type ActionResponsePayload, type AdditionalContext, type AiChatAvailableModels, type AiModel, type ApprovalDecision, BUNDLED_CLIENT_ID, CLIENT_VERSION, type ClientEvent, DEFAULT_AGENT_PRIVILEGES, DEFAULT_AI_GATEWAY_URL, DEFAULT_CLIENT_CAPABILITIES, DEFAULT_WORKFLOW_DEFINITION, type DirectAccessToken, type DiscoveredModels, type DiscoveredWorkflowModel, GITLAB_COM_URL, type GenerateTokenResponse, type GitLabAgenticOptions, type GitLabAnthropicConfig, GitLabAnthropicLanguageModel, GitLabDirectAccessClient, type GitLabDirectAccessConfig, GitLabError, type GitLabErrorOptions, GitLabModelCache, GitLabModelConfigRegistry, GitLabModelDiscovery, GitLabOAuthManager, type GitLabOAuthTokenResponse, type GitLabOAuthTokens, type GitLabOpenAIConfig, GitLabOpenAILanguageModel, type GitLabProject, GitLabProjectCache, GitLabProjectDetector, type GitLabProjectDetectorConfig, type GitLabProvider, type GitLabProviderSettings, GitLabWorkflowClient, type GitLabWorkflowClientConfig, GitLabWorkflowLanguageModel, type GitLabWorkflowLanguageModelConfig, type GitLabWorkflowOptions, GitLabWorkflowTokenClient, MODEL_ID_TO_ANTHROPIC_MODEL, MODEL_MAPPINGS, type McpToolDefinition, type ModelCacheEntry, type ModelConfig, type ModelConfigRegistryOptions, type ModelDiscoveryConfig, type ModelMapping, type ModelProvider, type NewCheckpoint, OAUTH_SCOPES, OPENCODE_GITLAB_AUTH_CLIENT_ID, type OpenAIApiType, type OpenCodeAuth, type OpenCodeAuthApi, type OpenCodeAuthOAuth, type RunMcpTool, type StartRequest, TOKEN_EXPIRY_SKEW_MS, VERSION, WORKFLOW_ENVIRONMENT, WS_HEARTBEAT_INTERVAL_MS, WS_KEEPALIVE_PING_INTERVAL_MS, type WorkflowAction, type WorkflowClientEvent, type WorkflowDiscoveryConfig, type WorkflowDiscoveryOptions, type WorkflowDiscoveryResult, type WorkflowStatus, type WorkflowToolExecutor, WorkflowType, type WorkflowWebSocketOptions, createGitLab, discoverWorkflowModels, getAnthropicModelForModelId, getModelMapping, getOpenAIApiType, getOpenAIModelForModelId, getProviderForModelId, getValidModelsForProvider, getWorkflowModelRef, gitlab, isResponsesApiModel, isWorkflowModel, parseModelsYml };

package/dist/index.js CHANGED Viewed

@@ -1653,7 +1653,7 @@ var GitLabOpenAILanguageModel = class {
 var import_isomorphic_ws = __toESM(require("isomorphic-ws"));
 // src/version.ts
-var VERSION = true ? "5.3.3" : "0.0.0-dev";
+var VERSION = true ? "6.1.0" : "0.0.0-dev";
 // src/gitlab-workflow-types.ts
 var WorkflowType = /* @__PURE__ */ ((WorkflowType2) => {
@@ -1879,7 +1879,9 @@ var GitLabWorkflowClient = class {
         });
       } else if (checkpoint.status === "STOPPED" || checkpoint.status === "CANCELLED") {
         this.emit({ type: "completed" });
-      } else if (checkpoint.status === "TOOL_CALL_APPROVAL_REQUIRED" || checkpoint.status === "PLAN_APPROVAL_REQUIRED") {
+      } else if (checkpoint.status === "TOOL_CALL_APPROVAL_REQUIRED") {
+        this.emit({ type: "approval-required", tools: this.extractApprovalTools(checkpoint) });
+      } else if (checkpoint.status === "PLAN_APPROVAL_REQUIRED") {
         this.emit({ type: "completed" });
       }
       return;
@@ -1918,6 +1920,18 @@ var GitLabWorkflowClient = class {
       }
     }
   }
+  extractApprovalTools(checkpoint) {
+    if (!checkpoint.checkpoint) return [];
+    let parsed;
+    try {
+      parsed = JSON.parse(checkpoint.checkpoint);
+    } catch {
+      return [];
+    }
+    return (parsed.channel_values?.ui_chat_log ?? []).filter(
+      (e) => e.message_type === "request" && e.tool_info !== null
+    ).map((e) => ({ name: e.tool_info.name, args: JSON.stringify(e.tool_info.args) }));
+  }
   send(event) {
     if (this.socket?.readyState === import_isomorphic_ws.default.OPEN) {
       const json = JSON.stringify(event);
@@ -3089,6 +3103,23 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
    * the AI SDK only surfaces usage via finish-step at stream end.
    */
   onUsageUpdate = null;
+  /**
+   * Tool names pre-approved for the current session.
+   * Set by the host (e.g., opencode) and merged into preapproved_tools on each StartRequest.
+   * Updated when the user chooses "always" in the approval prompt.
+   */
+  sessionPreapprovedTools = [];
+  /**
+   * Set the approval handler callback.
+   * Called when DWS requires tool call approval. Host (e.g., opencode) wires this
+   * to its permission system each stream call, similar to toolExecutor.
+   */
+  set approvalHandler(handler) {
+    this.workflowOptions.approvalHandler = handler ?? void 0;
+  }
+  get approvalHandler() {
+    return this.workflowOptions.approvalHandler ?? null;
+  }
   /**
    * Optional callback invoked when multiple workflow models are available
    * and the user should pick one. Set per-stream by the host (e.g., OpenCode)
@@ -3390,7 +3421,10 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
     const goal = this.extractGoalFromPrompt(options.prompt);
     const modelRef = await this.resolveModelRef();
     const mcpTools = this.extractMcpTools(options);
-    const preapprovedTools = this.workflowOptions.preapprovedTools ?? mcpTools.map((t) => t.name);
+    const preapprovedTools = [
+      ...this.workflowOptions.preapprovedTools ?? mcpTools.map((t) => t.name),
+      ...this.sessionPreapprovedTools
+    ];
     const additionalContext = this.buildAdditionalContext(options.prompt);
     const toolExecutor = this.toolExecutor ?? null;
     const availableToolNames = new Set(options.tools?.map((t) => t.name) ?? []);
@@ -3406,7 +3440,8 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
       workflowId = await this.tokenClient.createWorkflow(goal, {
         projectId,
         namespaceId: this.workflowOptions.namespaceId,
-        workflowDefinition: this.workflowOptions.workflowDefinition
+        workflowDefinition: this.workflowOptions.workflowDefinition,
+        agentPrivileges: this.workflowOptions.agentPrivileges
       });
       this.currentWorkflowId = workflowId;
     }
@@ -3418,11 +3453,13 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
       streamedInputChars: 0,
       streamedOutputChars: 0,
       pendingToolCount: 0,
+      approvalPending: false,
       deferredClose: null,
       activeTextBlockId: null,
       agentMessageEmitted: new Map(this.persistedAgentEmitted),
       currentAgentMessageId: "",
-      activeClient: wsClient
+      activeClient: wsClient,
+      processedRequestIDs: /* @__PURE__ */ new Set()
     };
     for (const msg of options.prompt) {
       if (msg.role === "system") {
@@ -3435,6 +3472,7 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
         }
       }
     }
+    let startReq;
     const stream = new ReadableStream({
       start: async (controller) => {
         try {
@@ -3455,7 +3493,8 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
                 wsClient,
                 toolExecutor,
                 () => `text-${textBlockCounter++}`,
-                availableToolNames
+                availableToolNames,
+                startReq
               );
             }
           );
@@ -3477,7 +3516,7 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
           const trimmedPreapproved = preapprovedTools.filter(
             (name) => trimmed.mcpTools.some((t) => t.name === name)
           );
-          const startReq = {
+          startReq = {
             workflowID: workflowId,
             clientVersion: CLIENT_VERSION,
             workflowDefinition: workflowDef,
@@ -3542,7 +3581,7 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
   // ---------------------------------------------------------------------------
   // Event handling
   // ---------------------------------------------------------------------------
-  handleWorkflowEvent(ss, event, controller, wsClient, toolExecutor, nextTextId, availableToolNames) {
+  handleWorkflowEvent(ss, event, controller, wsClient, toolExecutor, nextTextId, availableToolNames, startReq) {
     if (ss.streamClosed) {
       return;
     }
@@ -3553,6 +3592,8 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
       }
       case "tool-request": {
         const { requestID, data } = event;
+        if (ss.processedRequestIDs.has(requestID)) break;
+        ss.processedRequestIDs.add(requestID);
         let parsedArgs;
         try {
           JSON.parse(data.args);
@@ -3599,6 +3640,8 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
         break;
       }
       case "builtin-tool-request": {
+        if (ss.processedRequestIDs.has(event.requestID)) break;
+        ss.processedRequestIDs.add(event.requestID);
         const mapped = mapBuiltinTool(event.toolName, event.data, availableToolNames);
         const mappedArgs = JSON.stringify(mapped.args);
         if (ss.activeTextBlockId) {
@@ -3639,6 +3682,26 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
         });
         break;
       }
+      case "approval-required": {
+        ss.approvalPending = true;
+        this.approveAndResume(
+          ss,
+          event.tools,
+          startReq,
+          controller,
+          toolExecutor,
+          nextTextId,
+          availableToolNames
+        ).catch(() => {
+          ss.approvalPending = false;
+          if (ss.deferredClose) {
+            const close = ss.deferredClose;
+            ss.deferredClose = null;
+            close();
+          }
+        });
+        break;
+      }
       case "completed": {
         if (ss.activeTextBlockId) {
           controller.enqueue({ type: "text-end", id: ss.activeTextBlockId });
@@ -3657,7 +3720,7 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
           controller.close();
           this.cleanupClient(ss);
         };
-        if (ss.pendingToolCount > 0) {
+        if (ss.pendingToolCount > 0 || ss.approvalPending) {
           ss.deferredClose = doCompleteClose;
         } else {
           ss.deferredClose = null;
@@ -3716,7 +3779,7 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
             this.cleanupClient(ss);
           }
         };
-        if (ss.pendingToolCount > 0) {
+        if (ss.pendingToolCount > 0 || ss.approvalPending) {
           ss.deferredClose = doClose;
         } else {
           ss.deferredClose = null;
@@ -3892,6 +3955,60 @@ var GitLabWorkflowLanguageModel = class _GitLabWorkflowLanguageModel {
       this.persistedAgentEmitted.clear();
     }
   }
+  async approveAndResume(ss, tools, startReq, controller, toolExecutor, nextTextId, availableToolNames) {
+    const handler = this.workflowOptions.approvalHandler;
+    if (!handler || !startReq) {
+      ss.approvalPending = false;
+      if (ss.deferredClose) {
+        const close = ss.deferredClose;
+        ss.deferredClose = null;
+        close();
+      }
+      return;
+    }
+    let decision;
+    try {
+      decision = await handler(tools);
+    } catch (err) {
+      ss.approvalPending = false;
+      if (!ss.streamClosed) controller.error(err);
+      return;
+    }
+    ss.approvalPending = false;
+    this.cleanupClient(ss, false);
+    const approval = decision.approved ? { approval: { tool_name: tools[0]?.name, tool_args_json: tools[0]?.args } } : { rejection: { message: decision.message ?? "User rejected" } };
+    const newStartReq = { ...startReq, approval };
+    const newClient = new GitLabWorkflowClient();
+    this.activeClients.add(newClient);
+    ss.activeClient = newClient;
+    const modelRef = await this.resolveModelRef();
+    try {
+      await newClient.connect(
+        {
+          instanceUrl: this.config.instanceUrl,
+          modelRef,
+          headers: this.config.getHeaders(),
+          projectId: this.workflowOptions.projectId,
+          namespaceId: this.workflowOptions.namespaceId,
+          rootNamespaceId: this.workflowOptions.rootNamespaceId
+        },
+        (event) => this.handleWorkflowEvent(
+          ss,
+          event,
+          controller,
+          newClient,
+          toolExecutor,
+          nextTextId,
+          availableToolNames,
+          newStartReq
+        )
+      );
+      newClient.sendStartRequest(newStartReq);
+    } catch (err) {
+      this.cleanupClient(ss, true);
+      if (!ss.streamClosed) controller.error(err);
+    }
+  }
   // ---------------------------------------------------------------------------
   // Workflow metadata
   // ---------------------------------------------------------------------------